Check out the Dell Networking: Multitenancy with VRF-lite white paper. I describe in detail how multitenency can be achieved on supported Dell Networking switches via Virtual Routing and Forwarding (VRF). VRF-lite supports multitenancy by allowing multiple different routing tables within one physical L3 switch/router. This allows for a multitenant network without having to buy additional hardware. In the diagram directly below, each color represents a different customer tenant utilizing the same IP address space (overlapping IP addresses). Such a setup can also be useful for development and testing where traffic isolation is needed; the overlapping IP addresses can be used for ensuring consistency between each development/test environment.
Up to 64 VRF instances, 1 to 63 and the default VRF (0), are supported; there is no restriction on the number of VLANs that can be assigned to a VRF instance. The total number of routes supported in VRF is limited only by the size of the IPv4 CAM. Additionally, OSPFv2/OSPFv3, RIP, ISIS, BGP is supported both on physical and logical interfaces. However, only OSPFv2 and BGP are supported on both default and non-default VRF ports; others are supported only on the default VRF ports.
Route leaking is also supported across VRF Instances using static routes, meaning any static or dynamic route can be leaked or distributed to another VRF via static route commands.
As mentioned, one specific use case is a business like an ISP/service provider leveraging VRF-lite to provide separate isolated networks for customers without having to acquire and install additional hardware.
Another interesting use case could be in virtualized environments leveraging Network Virtualization Overlays (NVOs) where multitenancy is also needed on the physical network when bridging between logical and physical environments.
For example, a technology like VMware NSX can be utilized to provide network virtualization and multitenancy in the logical space. At the same time, if tenant workloads will be traversing both the logical and physical network, VRF-lite can be used on the physical network. This will allow for multitenancy with overlapping IP addresses across both the logical and physical network/resources.
An example application could be the mapping of non-virtualized resources (Ex: databases, file servers, etc) in the physical environment that need to be part of a tenant’s environment where the physical resources for each tenant will also utilize the same IP address space across all tenants.
Another possible application could be the need for multitenancy across two remote locations with one location employing NVO and the other location using traditional VLANs with VRF-lite on the physical environment.
The figure below presents an example where each VXLAN Network Identifier (VNI) on the logical network maps to a VLAN on the physical network. Each tenant logical switch (represented by a VNI) connects to a different distributed logical router (not shown) in the logical space and maps to a VLAN in the physical space.
Below is a lab setup in which I’ve already configured VRF-lite. Each color represents a different tenant as in the prior images. Observe how there are overlapping IPs for each tenant on the same switch.
The below commands entered on the top S6000 switch confirm overlapping IP addresses on different VLANs on the same switch.
The below commands display the routing table for each VRF on the top S6000 switch.
Below I confirm tenant communication across the switches via the ‘ping’ command.